White Paper: Wildcard and SAN: Understanding Multi-use SSL Certificates
When you employ web-based services on the Internet, SSL certificates are the
industry standard for authentication and security. Depending on how you plan
to use SSL certificates, multi-use certificates can provide greater flexibility than
traditional certificates. Multi-use certificates protect multiple Fully Qualified
Domain Names (FQDNs) and subdomains, lowering your administrative costs and
simplifying certificate installation, management, and deployment.
When a customer accesses a web page that is hosted on a server with a digital
certificate, their web browser automatically detects the certificate and modifies the
session. The session moves from an open session that uses Hypertext Transfer
Protocol (HTTP) to a secure HTTP (HTTPS). HTTPS allows for the encryption of all
the data sent between the user's computer and the server.

An SSL trust mark or site seal lets your customers know that a Certificate
Authority has authenticated and verified your organization.
An SSL certificate contains the service's Fully Qualified Domain Name (FQDN) and
ties the service's domain name to the server. This combination makes it possible for a
browser (or another agent) to compare the domain name it used to reach the service
with the domain name in the certificate.
It's also convenient to select static service names, because each time a service
name changes, the certificate must change on each server that provides the
service. Static names reduce the workload associated with periodic renewal and
installation of certificates on your servers.
Services that use subdomain names (names that use the same root, or domain
name, but have a different prefix, or subdomain name) have an additional
maintenance overhead. Because subdomain names are embedded into SSL
certificates, organizations usually buy one certificate per service. If the
organization protects numerous services with unique certificates, this can become
expensive and time-consuming to manage.
Wildcard Certificates
Wildcard certificates are regular SSL Certificates that support the wildcard
character * as a prefix to the FQDN, allowing it to secure multiple services.
Wildcard certificates do not include specific service names and always contain a
wildcard character that prefixes the domain name.
A wildcard certificate can be more flexible than using multiple single purpose
certificates because you can apply the wildcard certificate to a number of different
services. You can also add, change, or replace services without needing to update
the certificate or purchase new certificates.
For example, suppose you want to protect servers that run an instant communication
protocol like Session Initiation Protocol (SIP) and an email service. With single-use
certificates, you need two certificates because you have to embed the name of each
service into each certificate. As long as the domain is the same, however, you can
secure both services with one wildcard certificate. So the wildcard *.symantec.com
can secure both sip.symantec.com and mail.symantec.com with just one certificate.

Using a wildcard character as a placeholder in the domain name embedded into the
certificate makes the certificate more flexible. You can also apply it to any number
of services since the wildcard character can represent any subdomain name,
simplifying the certificate management process.

A single wildcard certificate, like *.symantec.com, can secure the following domains:
www.symantec.com
finance.symantec.com
mail.symantec.com
sip.symantec.com
register.symantec.com
However, it cannot secure:
www.symantec.ca
mail.test.symantec.com
Because wildcard certificates cover multiple subdomains and the service names
they support, they can be less secure than SAN certificates. We do not recommend
their use as the primary certificate solution for enterprises. When you deploy
a wildcard certificate, always make sure that you implement strong logical and
physical policies to protect your assets.
SAN certificates, or UCCs, are useful when organizations want to use different
root or domain names to run Internet-facing services. For example, an organization
that provides internal (sip.symantec.net) and external domain (sip.symantec.com)
unified communications services can use a single SAN certificate to secure both
FQDNs. The organization would need two wildcard certificates because symantec.net
and symantec.com are different domains.
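As an added illustration that is not part of the white paper, the following Python models how a browser decides whether the name it connected to is covered by a wildcard or a SAN certificate, using the domains from the examples above. The certificates are constructed lists of DNS names, not real certificates, and the matching rule assumed is the single-label wildcard rule browsers apply (a `*` stands for exactly one leftmost label).

```python
# Added example, not code from the white paper. A certificate is modelled as the
# list of DNS names it carries (Common Name plus Subject Alternative Names).
# Assumption: wildcard matching follows the single-label rule used by browsers,
# so "*" covers exactly one leftmost label and never the bare domain itself.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (possibly *.example.com) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # *.symantec.com has three labels; mail.test.symantec.com has four,
        # and symantec.com has two, so neither is covered.
        return False
    if "*" in p[1:]:
        # A wildcard is only meaningful in the leftmost label.
        return False
    if p[0] == "*" and len(p) < 3:
        # Refuse overly broad patterns such as *.com.
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))

def certificate_covers(cert_names, hostname: str) -> bool:
    """A certificate covers a hostname if any of its names matches it."""
    return any(name_matches(n, hostname) for n in cert_names)

def coverage_report(cert_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: certificate_covers(cert_names, h) for h in hostnames}

# Constructed certificates mirroring the paper's examples.
WILDCARD_CERT = ["*.symantec.com"]
SAN_CERT = ["sip.symantec.com", "sip.symantec.net", "mail.symantec.com"]

if __name__ == "__main__":
    hosts = ["www.symantec.com", "sip.symantec.com", "mail.symantec.com",
             "symantec.com", "www.symantec.ca", "mail.test.symantec.com",
             "sip.symantec.net"]
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        for host, ok in coverage_report(cert, hosts).items():
            print(f"{label:8} {host:24} {'covered' if ok else 'NOT covered'}")
```

The wildcard certificate covers the five single-level subdomains listed above but not the bare domain, the .ca domain, or the two-level subdomain, while the SAN certificate covers exactly the names it lists, across both domains.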
Another way to use a SAN certificate is when you validate secure internal and
external services. You might have both an internal and external SIP service for
instant messaging: internal sip.symantec.com and external sip.symantec.net. In this
situation, you must have a certificate on each server in the internal and external
service to allow your users to work whether they are in the office or on the road.
The same scenario applies for instant messaging infrastructures where you want to
encrypt both internal and external messages. Note that servers cannot include two
certificates for the same purpose.

SAN certificates are also useful for application service providers (ASPs) who host
applications for multiple clients with each client using their own domain name.
By using a SAN certificate, ASPs can use a single certificate to support multiple
clients. Note that the site seal and certificate are only for the primary domain name
entered in the certificate and do not include any of the other domain names. The
certificate includes all of the domain names verified at the time of purchase.

WILDCARD CERTIFICATES
Use a wildcard certificate when you want:
a single domain name for all services
a single domain and multiple subdomains that cover all services

SAN CERTIFICATES
Use a SAN certificate when you want:
unique domain names for each service
the option of providing Extended Validation protection
SAN certificates have the same issues as single-purpose certificates. When the
actual service names are embedded into the certificate, your services must always
use the same name; otherwise you have to change the certificate. Because the
certificate is a multi-use certificate, you must change it on each of the servers that
host a certificate-supported service. When you want to add services to provide further
functionality to your users, you must update the SAN certificate with the new
service names.
In Summary
Most organizations use at least one public domain name and one private domain
name to segregate their internal and external name spaces. In this case, only SAN
certificates work.
For organizations that use only a single public domain name, a wildcard
certificate may be a good option.
Feature                          Wildcard     SAN          Notes
Multiple secure domain support   Yes          Yes          Both certificate types support multiple secure domain names. Wildcard supports multiple subdomains of one domain, per certificate. SAN-enabled certificates can support multiple domain names; the limitation is the number of SANs per certificate established by the CA.
UCC or SAN support               -            Yes          Both certificate types support multiple uses.
Simplicity of management         Yes          -            Wildcard certificates are easier to manage than SAN certificates because they support any subdomain. SAN certificates must be updated each time a new domain is added or an old domain is dropped.
Browser compatibility            99+%         99+%         All modern browsers support both types of certificates.
Validity duration                Multi-Year   Multi-Year   Both certificate types are available for multi-year spans.
Warranty                         Yes          Yes          Certificate providers can provide warranties for both types of certificates.
Shared hosting usage             -            Yes          You can only use SAN certificates for shared hosting because they support multiple domain names.
Quality assurance testing usage  Yes          Yes          Wildcard certificates can only be used in QA testing environments that use the same domain name. SAN certificates can be used in environments that use either the same domain name or multiple domain names.
Learn More
Symantec's SAN and Wildcard certificates offer a cost-effective, versatile option to
provide SSL-secured communications with a single SSL certificate. Our Secure Site
Wildcard Certificate gives you the flexibility to protect subdomains today and in the
future for one predictable price. Our SAN certificates are recognized by Microsoft
for compliance with Unified Communications (UC) usage for Microsoft Exchange
and Microsoft Office Communications server. Best of all, we offer multiple SSL
certificate options with a single SAN certificate, including Extended Validation,
Secure Gated Cryptography and Intranet SSL.
More Information
Visit our website
http://go.symantec.com.ssl-certificates
About Symantec
Symantec is a global leader in providing security, storage, and systems
management solutions to help consumers and organizations secure and manage
their information-driven world. Our software and services protect against more
risks at more points, more completely and efficiently, enabling confidence
wherever information is used or stored.
Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, BindView, Enterprise Security Manager, Sygate, Veritas, Enterprise Vault, NetBackup and LiveState are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.